@lazydaemon
Created April 9, 2023 19:58
TA505 Loader & HVNC String Decryption
from malduck.ints import UInt8


def str_decrypt(str_list: list, param: int):
    """Decrypt the loader/HVNC strings and print each plaintext.

    Every character of an encoded string carries one nibble ('a' = 0 ... 'p' = 15),
    so each pair of characters is one byte. The first byte is a per-string key;
    every following byte is plaintext XOR key XOR param, where param is a
    per-sample constant (0xc7 for the loader, 0x53 for the HVNC module).
    """
    for s in str_list:
        # first pair -> per-string key byte z
        x = UInt8(ord(s[1]) - 0x61)          # low nibble
        y = UInt8((ord(s[0]) - 1) << 4)      # high nibble (UInt8 wraps to 8 bits)
        z = x | y
        i = 3
        result = ''
        while i <= len(s) - 1:
            # next pair -> one ciphertext byte a
            y = UInt8(ord(s[i - 1]) << 4)
            a = UInt8(y - 0x10) | UInt8(ord(s[i]) - 0x61)
            b = a ^ z ^ param  # 0xc7 => 199 => first octet from DNSQuery to aav.download-cdn.com
            result += chr(b)
            i += 2
        print(result)
# Incomplete List just for testing
loader_strings = ['hcnonamhnlnanjigihjlnbnjnj',
'pchaeneffeflfbhafledfmehfkflfifaflebggebehfmflfceggc',
'hloknfmomimjnnnapnnanandnp',
'chlgijjcjejfibimkgjcifif',
'cjjjihiaihiailjkmaikicic',
'dklejdijjiipjdjiijlcinjijdlm',
'opgbegfmenfkegenfmglehegegenelfmgj',
'cjkgjkjkjokbjoilialmiljpjliljnjkkp',
'hcpmnlmbnamhnlnambognambpkmfmbnmnknlpe',
'nbfogcgcggefhdhihceehdghgdhdgfgcfh',
'ijahcadkcldmcacldkbmclcpckaichcccl',
'maeogjhdgchfgjgchdeeglgihegcepgggjgdglgc',
'iaaocjddccdfcjccddaedfcgcecmbcdfclag',
'jcbncbcbcfaecadachcmbmdldddkbe',
'pjfbfcflanambafkfcfc',
'kncjafcdaeadboadalagadbaapcpbc',
'lfabagbdaaagfcfafafcaaahbmbgboboebeafmbhakbhfcfa',
'kmejehcpahahdjaoamacbibpaobjdiaobjbnaobjgggbapaoaheleecneleedkelejeoflejgggb',
'noekgagkgnhmhe',
'bellkhkhkdkaojpmpmlblklnlclnlalgpolalplmkglhpnlalmlopmkdlplmlclhpm',
'npelfhfoemepfjekfneeffhbhlgkhhglhhhogmeeephbhghmhhgpgldifgemeeflgngkgkhnhggmeohngkglhbhhhgeeephbhghmhhgpgl',
'ejmcolojoponphmkpmohpiolpmmdobokol',
'nkfffjfafe',
'apkmpoppplplplpopa',
'bnijjfjmioinjliijp',
'fjndmnnh',
'ongoegeggdeefjfoelegeg',
'gnpkofpjpo',
'fbnbndmc',
'nnfceoeoekdfcldecl',
'onbcelbibdeiblbibj',
'mmddgjdidjgkgogidkdddlgodkddgodpdmdcdpdngogodldndidngidcdkgjgngkdp',
'kbbebdaiacakakfffeeiadboadegee',
'dcnhnjngmh',
'lfcccgeccb',
'hcofobiepi',
'onhkhoblbkgh',
'nndehihlgo',
'jbhiddcodd',
'fapcopohplpiofpcofljpcoppclhlf',
'ghpdmpmgnenhmbncmfpmonmjmdncmpndmpmgnepmphmjmomempnhndpmodnfncncmfmonepgmfncndmjmpmopmpcnfmo',
'ebmlopofpeojpfojoapcmdocobodmhpdpcojmkohpdoiofoonjlplplplglflfocoeoclolcodldloldlblfoaodlblpldldoflaoalflglboflhlo',
'jjhlaoambbbjambpbdbkbpakbphlac',
'akkokakjodkilfkionockoonoflnkekdkkonockdonpmpnonpmpppkodpnodpnodpmoeonolonofkjkikbonocilonocjmonop',
'jehbhkhdhfhdhlcachdccbchhdhbhbhdhb',
'hcjhjm']
# Incomplete List just for testing
hvnc_strings = [
'eohlhlhdhphihbhlhjhchihehchfhihdhghhhehphdhahmhjhhhehihfhhhfhmhhhp',
'lkiailihimidinipidieieicjjikihifjjimilicifieihicigimigiaibigipimik',
'ocnlndnfnanoncnpneninininpnmnlndnlnnngnannnjncnennngndnenlnmnpninf',
'ekhhhchlhahbhphlhmhghohihmhihghmhbhfhmhphhhchghnhlhmhphogjhohchhhh',
'ialclflblalbljkdlbkdlflclhlplilolllolalplllilglglmlhlolclolalflpla',
'ekhbhhhphihhhchhhghkhphmhghphlhnhnhohkhahdhhhehbhhhphhhchnhhhihihn',
'bbceckcacnckclcpcdchcocacnckdccicacacocgcbcmcfcbcmcddccmcgcncgcidc',
'hfejeceeeafgededepeoeceneeepeoelejfgeneeemelejejeieaeheiekeeeaefek',
'opnemmnlnanknenlnkncnenonlmmngninjncngnlnbninlndnjnfnnmmmmnnnknanc',
'nboaooomolohololoeoeoaonolooooojomoiomohpconofoiokojofomonodpcodob',
'jdkdkkkfkmkglakmlakmkfkckekkkkkfkokmkmlakkkdkckmknkkklkgkdkgkgkokf',
'apdkdfdedhdndhdkdddodhdbdhdgdddgcmdpdecmdkdldpdbdedkdgdcdbdcdkcmdf',
'naoionoaoaolohokoeomoboeologonobobocohohomojojononocomoeofpdpdofoj',
'niokogoaogobobogogonohopopoeomogodplobohoeocogocplojoeonofonobocod',
'mfonkdkbkpkppckppekallkokfkckfllkcpfkekallkpphpekallkdpckephpckfkpkokokcpfpdolliooogpp',
'fbhjgdgddkdddagaghghcpdlghdldacpdgdkgagdcpdldhdfdccpdhgegdgedcgbgeghdadhdfdkhpcmhkhcgl',
'dmbefkfgakaofkajfnfgecfjakaofgecflfpanfkecfhfmamalecfgfmfifnflfganfpfpfoakfobcebbhbpag',
'gfenfcaofcfcfaffaefhblapabfcapblacffaaagblaofeadafbladfdfcfcaeapapfeaaaaabacelbieoegfp',
'bkdchockhnhlcmcmcihigeclhkcmhngehnclcmhngecihmhpcpgehbhlcihmhbhmhlclhihlcnckdeghdbdjca',
'ngpoohlgoalmldohlaodkiohlaohodkilnohlblnkilnlbldohkilalhodlblglflgldlaoalnlfpiklpnpfom',
'kbijjhjamdjejamhmfjanpjbjdmbjgnpmgmemamgnpjdmkmgmdnpmfmamkjejgjamamkmgmhmhjeipnmikicjl',
'dbbjfffefhflfeahfbfcepahabagaaepfgffffadepflfdaeagepabfcfkaefafcfdfkagaefdadbpembkbcal',
'pppmnomdmkmfmamjnpid',
'iojekoiplilblmkjleklli',
'hphmenfiee',
'mmlnlplcpbpalconpkpcpaolpklplcoponpapjpgpdpklpln',
'gkfpfaelfmfpfgebbhfmebfm',
'cgdibkapbmbjbjbedgbkbiafbkagbmabbkahccbmblbbbkacdgbjbeagag',
'pjpgnjnomfnimlmnmp',
'lplaijjejiijicjpifidicjp',
'kojojmjojfjimp',
'hoeoemeoefei',
'ffgcghhcghhegdhggjhehcgpgigb',
'bfclcpcicpccddcldgdf',
'khihjmjfjajbignjjhjfjhjmjb',
'bkafcgckcccmcn',
'kcknibidjejhicnpjlic',
'njkikkkhoeofompiolohopohoppionodoeonkkkhoeofocoloeonpiopojofpmoppipdkkkhoeofohoppionopkkkioloiofpppolaoiogoloeob',
'gmfgfkehepfdfaenfkbbfkehfk',
'ccccdodhcfcgdacddecndmbibcadboacbobhafcncgbibpbfboagacfbdpcfcndcaeadadbebpafchbeadacbibobp']
str_decrypt(loader_strings, 0xc7)
print('-' * 80)
str_decrypt(hvnc_strings, 0x53)
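The following is an added example, not part of the gist above: a stdlib-only re-implementation of the same scheme that returns the plaintext instead of printing it, rejects characters outside the 'a'..'p' alphabet instead of letting 8-bit wraparound swallow them, includes the inverse transform for building test vectors, and adds a crib-based search for the per-sample XOR constant (the 0xc7 / 0x53 argument) for samples where the DNS observation mentioned in the code comment is not available. The sample strings are copied from the loader_strings and hvnc_strings lists; the crib list in the demo is an assumption about imports a Windows loader is likely to resolve.

```python
"""Added example (not from the gist): stdlib-only version of the TA505
loader / HVNC string scheme, plus recovery of the per-sample XOR constant
from a known-plaintext crib."""

ALPHABET = "abcdefghijklmnop"  # one nibble per character: 'a' = 0 ... 'p' = 15

# Sample input copied from the gist's loader_strings / hvnc_strings lists.
LOADER_SAMPLES = [
    "hcnonamhnlnanjigihjlnbnjnj",
    "pchaeneffeflfbhafledfmehfkflfifaflebggebehfmflfceggc",
    "hloknfmomimjnnnapnnanandnp",
]
HVNC_SAMPLES = ["iojekoiplilblmkjleklli", "hphmenfiee"]


def decode_nibbles(enc: str) -> bytes:
    """'a'..'p' text -> raw bytes. Byte 0 is the per-string key, the rest is
    plaintext XOR key XOR param. Unlike the UInt8 version, which silently
    wraps characters outside the alphabet, this rejects them."""
    if len(enc) < 2 or len(enc) % 2:
        raise ValueError(f"odd-length or empty encoded string: {enc!r}")
    try:
        nib = [ALPHABET.index(c) for c in enc]
    except ValueError:
        raise ValueError(f"character outside 'a'..'p' in {enc!r}") from None
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def decrypt(enc: str, param: int) -> str:
    """Plaintext of one encoded string under the given per-sample constant."""
    raw = decode_nibbles(enc)
    k = raw[0] ^ (param & 0xFF)  # per-string key folded with the sample constant
    return bytes(b ^ k for b in raw[1:]).decode("latin-1")


def encrypt(plain: str, param: int, key: int) -> str:
    """Inverse of decrypt(); used to build test vectors and confirm the layout."""
    data = bytes([key & 0xFF]) + bytes(
        b ^ (key & 0xFF) ^ (param & 0xFF) for b in plain.encode("latin-1"))
    return "".join(ALPHABET[b >> 4] + ALPHABET[b & 0xF] for b in data)


def recover_param(encoded: list, cribs: list) -> list:
    """Every constant in 0..255 under which at least one string contains a
    crib. The constant is a single XOR byte, so one correct crib of a few
    characters pins it down; more than one hit means the crib is too short."""
    hits = []
    for param in range(256):
        if any(crib in decrypt(enc, param)
               for enc in encoded for crib in cribs):
            hits.append(param)
    return hits


if __name__ == "__main__":
    # Assumed cribs: names a Windows loader or browser-profile stealer is
    # likely to contain; not taken from the gist.
    cribs = ["kernel32.dll", "VirtualAlloc", "LoadLibrary", "Path", "Profiles"]
    for name, samples in (("loader", LOADER_SAMPLES), ("hvnc", HVNC_SAMPLES)):
        found = recover_param(samples, cribs)
        print(name, "candidate constants:", [hex(p) for p in found])
        for p in found:
            for s in samples:
                print(f"  {hex(p)} {decrypt(s, p)}")
```

A crib is used rather than a printability score because XOR with a single byte keeps ASCII text printable under many wrong constants (param ^ 0x01, for instance, maps letters to neighbouring letters and digits to digits), so scoring for printable output does not single out the right value; a short known import name does.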
@lazydaemon (Author) commented:

Results:

kernel32.dll
ExpandEnvironmentStringsW
VirtualAlloc
VirtualFree
wininet.dll
InternetOpenA
InternetConnectA
HttpOpenRequestA
InternetSetOptionA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
InternetCrackUrlA
HttpQueryInfoA
ole32.dll
CoInitializeEx
start "" rundll32.exe "
",DllRegisterServer
del /F /Q "%0"

System
https://binance-cloud.com/pload/
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LegacyDriverMode
HDMI
d6733368
SOFTWARE
MSI
DllInstall
POST
GET
HTTP/1.1
8a29b123
8b32aec180e18e47946ee0636c91bfa4
rundll32.exe "
",#2
PT0S
PT1M
PT10M
.bat
.exe
explorer.exe "
Software\Microsoft\Windows\CurrentVersion\Run
MicrosoftEdgeAutoLaunch_999033dbd84e58573fe7955c6f307c18
%PROGRAMDATA%\
cmd.exe /c (ping /n 10 127.0.0.1) & (del /F /Q "
") & (start "" "
")
--------------------------------------------------------------------------------
ffnbelfdoeiohenkjibnmadjiehjhajb
ibnejdfjmmkpcnlpebklmnkoeoihofec
jbdaocneiiinmjbjlgalhcelgbejmnid
nkbihfbeogaeaoehlefnkodbefgpgknn
afbcbjpbpfadlkmhmclhkeeodmamcflc
hnfanknocfeofbddgcijnmhnfnkdnaad
fhbohimaelbohpjbbldcngcnapndodjp
odbfpeeihdkbihmopkbjmoonfanlbfcl
hpglfhgfnhbgpjdenjgmdgoeiappafln
blnieiiffboillknjnepogjhkgnoapac
cjelfplplebdjjenllpjcblmjkfcffne
fihkakfobkmkjojpchpfgcmhfjnmnfpi
kncchdigobghenbbaddojjnnaogfppfj
amkmjjmmflddogmhpjloimipbofnfjih
{5799d9b6-8343-4c26-9ab6-5d2ad39884ce}.xpi
{aa812bee-9e92-48ba-9570-5faf0cfe2578}.xpi
{59ea5f29-6ea9-40b5-83cd-937249b001e1}.xpi
{d8ddfc2a-97d9-4c60-8b53-5edd299b6674}.xpi
{7c42eea1-b3e4-4be4-a56f-82a5852b12dc}.xpi
{b3e96b5f-b5bf-8b48-846b-52f430365e80}.xpi
{eb1fb57b-ca3d-4624-a841-728fdb28455f}.xpi
{76596e30-ecdb-477a-91fd-c08f2018df1a}.xpi
Profiles/
IsRelative
Path
" -no-remote -profile "
firefox.exe
MozillaCompositorWindowClass
\storage
\extensions
cache2
cache
datareporting
minidumps
shader-cache
Locked
\prefs.js
" -noframemerging -nohangrecovery -nomerge "about:blank
iexplore.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion
